package com.inspur.cloud.configuration;

import com.inspur.cloud.security.ApiAuthenticationFilter;
import com.inspur.cloud.security.ApiAutoLoginFilter;
import com.inspur.cloud.security.ApiEntryPoint;
import com.inspur.cloud.security.UsernamePasswordAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider;

    @Autowired
    private ApiEntryPoint apiEntryPoint;

    /**
     * 配置认证信息和授权
     * @param auth
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {

        auth.authenticationProvider(usernamePasswordAuthenticationProvider);
    }
    /**
     * 拦截请求资源
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").denyAll()
                .antMatchers(HttpMethod.HEAD, "/**").denyAll().
                antMatchers("/dataspace/api/v1/**").
                authenticated().and().headers().frameOptions().disable().and().exceptionHandling().
                authenticationEntryPoint(apiEntryPoint).and().
                addFilterBefore(apiAutoLoginFilter(), BasicAuthenticationFilter.class).
                addFilterAt(apiAuthenticationFilter(), BasicAuthenticationFilter.class);
        http.headers().contentSecurityPolicy("default-src 'none';script-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self' wss://*:*;img-src 'self' data:;frame-src 'self';font-src 'self';object-src 'self';style-src 'self' 'unsafe-inline'");

    }

    @Bean
    public ApiAuthenticationFilter apiAuthenticationFilter() {
        ApiAuthenticationFilter filter = new ApiAuthenticationFilter(authenticationManager, apiEntryPoint);
        return filter;
    }

    @Bean
    public ApiAutoLoginFilter apiAutoLoginFilter() {
        ApiAutoLoginFilter filter = new ApiAutoLoginFilter(authenticationManager, apiEntryPoint);
        return filter;
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        //获取验证码不需要身份验证
        web.ignoring().antMatchers(HttpMethod.GET, "/dataspace/api/v1/verifyCode");
        web.ignoring().antMatchers(HttpMethod.GET, "/dataspace/api/v1/verifyCode/need");
        web.ignoring().antMatchers(HttpMethod.GET, "/dataspace/api/v1/common/*");
    }
}
